User Subtype Messages
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| User Subtype Messages | Base Rule | User Information | Information |
| User Logon | Sub Rule | User Logon | Authentication Success |
| User Logon | Sub Rule | User Logon | Authentication Success |
| User Logoff | Sub Rule | User Logoff | Authentication Success |
| User Logout | Sub Rule | User Logoff | Authentication Success |
| Authentication Timed Out | Sub Rule | Authentication Timeout | Other Audit |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| logid | <vmid> | Number | The ID (logid) is a 10-digit field. It is a unique identifier for that specific log. |
| level | <severity> | Text\String | Each log entry contains a Level (level) field that indicates the estimated severity of the event that caused the log entry. |
| srcip | <sip> | IP Address | IP address of the traffic’s origin. |
| user | <login> | Text\String | N/A |
| server | <domainorigin> | Text\String | N/A |
| msg | <object> | Text\String | N/A |
| logdesc | <subject> <vendorinfo> | Text\String | N/A |
| group | <group> | Text\String | N/A |
| action | <command> | Text\String | N/A |
| status | <status> <tag1> | Text\String | N/A |